Excerpts from The Ransomware Economy: Emergence and Innovation

October 26, 2017 /
Rick McElroy, Sean Blanton

Carbon Black recently published an investigative report on the Dark Web marketplace for ransomware. This is an excerpt from that report, which you can find here. For more information about the rise of ransomware, and what you can do about it, check out the Future-Proof Your Ransomware Prevention webcast hosted by Scott Hanson, Senior Managing Consultant, Cyber Security and Investigations at Kroll.

Underground Ransomware Market: Emergence and Innovation

The 2,502% growth in the dark web ransomware economy has been aided by:

Bitcoin and Tor, which allow for pseudo-anonymous activities.

Proliferation of service providers, which allow anyone to get in the business of ransomware.

While ransomware has existed for some time, the proliferation of Bitcoin and Tor has lowered the risk and driven down the barrier to entry for ransomware perpetrators. You no longer need to know how to anonymize your traffic or make and receive payments. These services already exist and can be purchased.

The availability of these services has allowed underground ransomware to hide effectively, making attribution and takedowns by law enforcement extremely difficult. If takedowns do happen, they happen over months or years of hard work.

Not only have the dark web marketplaces evolved to better support high-risk, low-trust transactions through escrow systems, but the requirement for ransoms to be paid over the Tor network has ensured there’s no centralized endpoint to investigate with traditional geo-based law enforcement approaches.

As a result of the maturity of these innovations, the underground ransomware economy is now an industry that resembles commercial software — complete with development, support, distribution, quality assurance and even help desks.

We should also consider consumers’ willingness to pay ransoms. In a recent Carbon Black survey, we asked participants if they would personally be willing to pay ransom money if their personal computer and files were encrypted by ransomware. 52% said “yes.”

The Underground Ransomware Economy and Supply Chain

Based on our research, the dark web ransomware market currently consists of the following tiers and players:

TIER 1: AUTHORS

Authors are responsible for:

Creation of new ransomware for sale

Advanced coding skills

Training and support

Think of authors as the “weapons makers.” They never use what they create. They only sell their code. They also sell support or changes to the code.

Authors make money (sometimes $100,000+ per year, according to our research) by: selling the ransomware code itself; selling a platform to author code (for others who don’t actually have coding skills); and / or teaching others to code.

Authors can sell the specialized components of ransomware in the supply chain (creation, distribution, encryption, payment, C2) or they can sell an entire kit to a buyer. These kits contain everything you need to build and customize your ransomware.

TIER 2: RANSOMWARE-AS-A-SERVICE (RaaS)

In some cases, ransomware authors will stand up ransomware-as-a-service (RaaS) platforms. In others, buyers will purchase the platform from an author and stand up their own service.

In this area, a ransomware author might decide to begin an “affiliate” program to earn money while minimizing risk.

An “affiliate” will look to utilize existing infrastructure to achieve speed to market, minimize and share risk amongst affiliates, and provide target lists.

Here’s how the process generally works:

Distributors buy “shares” in a ransomware campaign. The revenue split is usually agreed upon at the beginning.

The service owner embeds the split in their distribution servers. The distribution servers are then used to track the campaign (metrics, etc). In most cases, the revenue share favors the distributors because they do the distribution. The distributor takes on the most risk because they have to make changes to make the code less detectable and preventable.

TIER 3: DISTRIBUTORS

Leveraging ransomware-as-a-service. RaaS makes ransomware available to even novice criminals.
